Applying the same due diligence to every third party is not rigorous. It is inefficient — and it leaves the highest-risk relationships under-scrutinised.

One of the more counterintuitive features of well-designed third-party due diligence is that it does not do the same thing for every third party. A supplier of standard office consumables in a low-risk domestic market and a sales agent operating in a high-risk jurisdiction with discretionary authority to negotiate contracts on the company's behalf are both third parties. They are not remotely comparable as compliance risks. Applying the same due diligence process to both wastes resources on the first and almost certainly under-invests in the second.

Risk tiering is the mechanism that resolves this. It assigns each third-party relationship to a risk tier — typically three levels — based on a structured assessment of the factors that drive integrity risk in that specific relationship. The due diligence conducted is then calibrated to the tier: proportionate, risk-based, and defensible to a regulator or auditor who asks why a particular level of scrutiny was or was not applied.

The proportionality principle is not a licence to do less. It is a framework for doing the right amount for each relationship — which sometimes means doing substantially more than a generic screening process would produce, and sometimes means doing less. The critical discipline is that the decision about how much to do is driven by analysis of the risk, not by convenience, commercial pressure, or the assumption that relationships that have existed for a long time do not need to be reassessed.

"Risk tiering is not a way to reduce compliance effort. It is a way to direct compliance effort to where it produces the most value — which means concentrating the most rigorous scrutiny on the relationships that carry the greatest exposure, and reserving that scrutiny for them rather than diluting it across a population of relationships that do not require it."

What the risk assessment actually measures.

The risk factors that determine a third party's tier can be grouped into four categories. The first is country risk: the corruption risk profile of the jurisdiction in which the third party operates, as assessed by objective sources including Transparency International's Corruption Perceptions Index, the TRACE Bribery Risk Matrix, and sector-specific intelligence. A third party operating in a jurisdiction with a CPI score below 50 warrants elevated scrutiny regardless of other factors.

The second is interaction risk: the nature and frequency of the third party's interaction with government officials or public sector entities. A third party whose core function involves securing permits, licences, customs clearances, or public contracts — or who is the primary interface between the company and a state-owned entity — carries interaction risk that is among the most significant indicators of corruption exposure in any risk tiering model.

The third is commercial risk: the nature of the commercial arrangement, including the compensation structure, the level of discretion the third party holds, and the transparency of the revenue flows through the relationship. High commissions, success fees tied to contract awards, and structures that provide limited visibility into how the third party uses the funds it receives are all elevated risk indicators. A distributor that purchases and resells the company's products carries different risk from an agent who receives commissions for business introduced.

The fourth is relationship risk: factors specific to the third party itself — its ownership structure, its reputation, its track record, any adverse media or legal proceedings, and the quality of its own compliance infrastructure. A third party with opaque beneficial ownership, a history of government investigations, or no discernible compliance programme carries relationship risk that elevates its tier regardless of the other factors.

The risk tiering process is most useful when it produces outcomes that surprise the compliance function — when a relationship that the business considers routine is assessed as high-risk based on the factors, or when a relationship that has always been treated as high-priority turns out to carry a lower risk profile than assumed. A risk tiering model that consistently confirms existing assumptions about the portfolio is probably not being applied with sufficient analytical independence.

The highest-risk relationships demand a qualitatively different process.

For relationships assigned to the highest risk tier, enhanced due diligence is not simply more of what the standard process produces. It is a qualitatively different engagement — one that goes beyond database screening and questionnaire responses to develop an independent picture of who the third party is, how it operates, and what it does with the resources the company provides.

Enhanced due diligence typically involves: a detailed questionnaire covering ownership and beneficial interest, key personnel, government relationships, regulatory history, and compliance programme; verification of corporate registration, financial standing, and the identities of beneficial owners; adverse media screening across multiple sources and languages; direct reference checks with parties who have worked with the third party in similar roles; and, for the highest-risk relationships, an enhanced review conducted by a specialised provider with the resources to conduct in-country research that an internal process cannot replicate.

The output of enhanced due diligence is not a score or a recommendation. It is a finding — a structured assessment of what the process revealed, what it did not resolve, and what risk-mitigation measures the compliance function recommends as conditions of engagement. These conditions — contractual representations, audit rights, anti-corruption training requirements, periodic recertification — become part of the relationship structure rather than being treated as optional additions.

"Enhanced due diligence on a high-risk third party is not a bureaucratic exercise. It is the compliance function doing its most important work — developing an independent, evidence-based view of a relationship that could, if it goes wrong, define the organisation's compliance story for years. The investment is proportionate to that risk."
